Yahoo, eBay take steps to block phishing attacks

Brian Winer of Los Angeles uses an eBay kiosk to check on an item he has for sale during the Consumer Electronics Show in Las Vegas, Nevada January 6, 2006.

Reuters/Steve Marcus/Files

SAN FRANCISCO Yahoo Inc, is working with auction leader eBay Inc and its PayPal payments unit to block fake e-mails to users purporting to be from eBay and PayPal, hoping to spur on an industry that has been slow to fight the scourge of so-called phishing attacks.

EBay and PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys invented by Yahoo that authenticates e-mail senders are who they say they are, allowing Yahoo to block fake e-mails.

The technology upgrade will be made available to Yahoo Mail users worldwide over the next several weeks, the company said.

"It is a big step forward for consumers in defense against the bad guys," John Kremer, vice president of Yahoo Mail, said in a phone interview.

Along with banks and pharmaceutical makers, eBay and PayPal are among the brands most targeted by phishers seeking to trick consumers into divulging personal information such as credit card or password data in order to commit financial fraud.

Over the past decade, phishing has been clogging the inboxes of e-mail users worldwide with ever more sophisticated attempts to fool users into clicking on fraudulent sites or giving up personal financial details to commit fraud.

But to date, many of the defenses put forward by security software vendors and industry consortiums have failed to take hold with e-mail senders due to their complexity or costliness, or political in-fighting over standards, leaving individual consumers always guessing which e-mail may be real or fake.

A PayPal official said Yahoo's system provides a way of automatically detecting potential phishing attacks without relying on the consumer to do anything new.

"If the consumer doesn't receive an email in their inbox then it is very hard for the phisher to victimize them," Michael Barrett, PayPal's chief information security officer.

FEAR OF BLOCKING LEGITIMATE E-MAIL

Two camps have emerged among technology providers seeking to develop a coherent approach to identifying e-mail senders.

One backed by Yahoo and Cisco Systems Inc. along with AOL, Google Inc, International Business Machines Corp, Sendmail and VeriSign Inc is the DomainKeys Identified Mail (DKIM) technology, which allows e-mail providers to identify the Web domain from which a sender has sent e-mail.

A second standard known as Sender Policy Network (SPF) has been led by Microsoft Corp, which offers its own version of SPF known as Sender ID. SPF-based protections are used by Amazon, AOL, GoDaddy and eBay, which supports both DKIM and SPF.

Chenxi Wang, a security analyst with Forrester Research, said DomainKeys relies on more sophisticated cryptography than the Microsoft-supported approach. This sophistication can make DomainKeys harder for Web sites to install but offers greater long-term defense against phishing attacks, she said.

So far, most customers have installed sender authentication inside their e-mail systems as a monitoring tool but do not block e-mail for fear of false positives -- mistakenly treating legitimate customer e-mail messages as phishing attempts.

However, despite the industry disagreements, an underlying consensus is emerging among software vendors, Internet service providers and corporate Web sites that digital e-mail signing in one form or another is the best shot to combat phishing.

"Two years ago if you asked companies whether they were using e-mail authentication, most people wouldn't have cared," Wang said. "Today if you ask most organizations if they think it is a good thing people would say, 'Yes.'"

"The industry is slowly coming around," Wang said. "EBay and PayPal are some of the first to actively block unauthenticated e-mails."